nmap'ing myself
If there is a better forum for discussing IPFW, please direct me there.

I have a firewall machine running FreeBSD 4.10 connected between my DSL modem and my office switch. It does NAT and has a basic set of IPFW rules. It is somewhat locked down (kern_securelevel = 1, other recommendations typical for this configuration).

My question is: from a well configured firewall, should I be able to nmap the public interface using a console session on the firewall itself? Will allowing this compromise the security of the machine? Basically, should I even attempt to make this work?

What's a good way to test your own firewall without driving down the road (and hacking into an unsecured Linksys wireless router, just kidding)?

Additional info: I am still reading Network Security Hacks by Andrew Lockhart; not sure if this is covered.

    nmap -v -O -sS my.firewall.com
    sendto in send_ip_raw: sendto(4, packet, 28, 0, n.n.n.n, 16) = Permission denied

I can nmap other machines inside and outside my firewall. Machines inside my firewall can nmap machines inside (duh) and outside the firewall. Although doing an nmap from a machine inside my firewall to a machine outside causes net.inet.ip.fw.dyn_count to grow rather large, so I avoid doing this. Same thing if I try to nmap my firewall from a machine inside the firewall.

Tried opening up the firewall; still does not work (slightly different error though).

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nmap'ing myself
Norm Vilmer wrote:
[ ... ]
> My question is: from a well configured firewall, should I be able to nmap the public interface using a console session on the firewall itself?

Sure. nmap should return close to zero open ports.

> Will allowing this compromise the security of the machine?

nmap doesn't compromise the security of your machine. Having open ports connected to vulnerable services is the primary security risk.

> Basically, should I even attempt to make this work?

What is this?

> What's a good way to test your own firewall without driving down the road (and hacking into an unsecured Linksys wireless router, just kidding)?

Put another machine on the subnet of your external interface, and do an nmap scan from there. That represents what your ISP would see, or a bad guy who compromised the ISP, possibly up through the DSL modem you have.

--
-Chuck
Re: nmap'ing myself
Chuck Swiger wrote:
> Norm Vilmer wrote:
> [ ... ]
>> My question is: from a well configured firewall, should I be able to nmap the public interface using a console session on the firewall itself?
>
> Sure. nmap should return close to zero open ports.
>
>> Will allowing this compromise the security of the machine?
>
> nmap doesn't compromise the security of your machine. Having open ports connected to vulnerable services is the primary security risk.
>
>> Basically, should I even attempt to make this work?
>
> What is this?
>
>> What's a good way to test your own firewall without driving down the road (and hacking into an unsecured Linksys wireless router, just kidding)?
>
> Put another machine on the subnet of your external interface, and do an nmap scan from there. That represents what your ISP would see, or a bad guy who compromised the ISP, possibly up through the DSL modem you have.

Sorry about the ambiguity, I was referring to loosening my firewall rules and other settings to allow nmap to work properly. If it should work, then I have things either misconfigured or tightened down too much.

Connecting a machine to the public subnet won't work for me. My ISP uses PPPoE; I have one static IP assigned to my firewall's MAC address. I tried it, just to see if it would assign the other machine a dynamic IP if I made a PPPoE connection, but it doesn't.

I tried the ShieldsUp website, but it did not work from links (GUI-less).
Re: nmap'ing myself
On Thursday 07 October 2004 21:56, Norm Vilmer wrote:
> Sorry about the ambiguity, I was referring to loosening my firewall rules and other settings to allow nmap to work properly. If it should work,

No. Why would you want to deliberately make it easy to make a port scan work? If you're a script kiddie, randomly port scanning boxes, and one comes up with loads of wide open ports, and a few come up with either closed or stealth ports, which one do you think you're going to try and attack?

> then I have things either misconfigured or tightened down too much.

Tightened down too much? What is that?

--
Cheers, Chris Howells -- [EMAIL PROTECTED], [EMAIL PROTECTED]
Web: http://chrishowells.co.uk, PGP ID: 0x33795A2C
KDE/Qt/C++/PHP Developer: http://www.kde.org
Re: nmap'ing myself
On Thu, Oct 07, 2004 at 11:22:34PM +0100, Chris Howells wrote:
> On Thursday 07 October 2004 21:56, Norm Vilmer wrote:
>> Sorry about the ambiguity, I was referring to loosening my firewall rules and other settings to allow nmap to work properly. If it should work,
>
> No. Why would you want to deliberately make it easy to make a port scan work? If you're a script kiddie, randomly port scanning boxes, and one comes up with loads of wide open ports, and a few come up with either closed or stealth ports, which one do you think you're going to try and attack?

He means being able to do 'nmap localhost'. Yes, this should be possible. One of your first rules must be 'allow ip from any to any via lo0'. Also have a look at the port portsentry. Anyone who tries an nmap from the internet would get denied full access.

>> then I have things either misconfigured or tightened down too much.
>
> Tightened down too much? What is that?

Not being able to do what you want (others to do). 'ipfw add 1 deny ip from any to any': that is tightened down too much.

--
Alex

Please copy the original recipients, otherwise I may not read your reply.
WWW: http://www.kruijff.org/alex/FreeBSD/